In May next year, the European Union's General Data Protection Regulation (‘GDPR’) will apply in the UK, profoundly altering the way in which companies collect, store, process and protect the personal information of customers, clients and employees. While the majority of insights and reports on GDPR’s impact warn of the burden it brings to operations, Steve Tang, a Senior Consultant at Axis Corporate, warns that firms which treat the new regulation as a punitive burden are missing the point. Tang reflects on why the regulation represents a significant opportunity for post-Brexit UK.

What is GDPR?

A new EU regulation governing how organisations manage and structure their customer and employee data. Many of the stipulations are already covered in the UK’s Data Protection Act, but from 25 May 2018 organisations will have to be able to prove that they have proper data-processing controls in place and that they comply with the GDPR.

The GDPR is the most fundamental change in data protection legislation for the past 20 years: it replaces the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998) with a single regulation that applies directly in every member state and carries far larger penalties. The legislation will affect all domestic and international businesses operating in the EU – regardless of size. The requirements are not confined to IT – the impact will be felt across the whole organisation, from sales to marketing to HR.

What are the GDPR Principles?

Under the GDPR, there are data protection principles relating to the processing of personal data – and these are the main responsibilities for organisations:

Principle 1: ‘lawfulness, fairness and transparency’ – personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Principle 2: ‘purpose limitation’ – personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Principle 3: ‘data minimisation’ – personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Principle 4: ‘accuracy’ – personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data is erased or rectified without delay.

Principle 5: ‘storage limitation’ – personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.

Principle 6: ‘integrity and confidentiality’ – personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Principle 7: ‘accountability’ – the controller is responsible for, and must be able to demonstrate, compliance with the GDPR data protection principles.

‘Accountability’ is the keyword. Under the accountability principle, data controllers will be required to implement appropriate organisational and technical measures to ensure, and to be able to demonstrate, that data processing is performed in accordance with the GDPR. This includes reviewing and updating those measures on an ongoing basis.

Which companies are affected by the GDPR?

All organisations which process the personal data of individuals in the EU must comply with the GDPR. This includes organisations established in an EU country as well as organisations with no presence in the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.

The GDPR may see big fines

If organisations do not comply with the GDPR, the regulator (the Information Commissioner’s Office or ‘ICO’ in the UK) can issue fines of up to €20 million or 4% of total worldwide annual turnover, whichever is greater, for the most serious infringements. Fines of up to €10 million or 2% of total worldwide annual turnover can be applied for failures such as not putting in place adequate security or not reporting breaches.

Organisations must acknowledge that the GDPR means bigger fines for internal failings, but also that there are benefits to getting data protection right. If companies can demonstrate that they respect and protect personal data, this can be perceived as a competitive advantage. Conversely, if organisations cannot demonstrate good data protection under the GDPR, this could lead to reputational damage as well as big fines.

What are the challenges to becoming GDPR compliant?

Within organisations, data controllers are probably wondering what measures they need to implement to comply with the GDPR principles. The GDPR itself gives very little guidance on how to implement appropriate measures or how to demonstrate compliance with the legislation. The UK supervisory authority for the GDPR is the Information Commissioner’s Office (‘ICO’), which has not yet published detailed practical guidance or signposting. By the time it does, it may be too close to the 25 May 2018 launch date to be of much help. Much of the current commentary has focused on the burden that the GDPR will place on businesses. However, there are a host of opportunities which the regulation will bring to all organisations.

Brexit

The UK still needs to implement the GDPR regardless of whether the country is in or out of the EU. The GDPR applies not only to companies in the EU, but also to all companies that market their goods and services to individuals in the EU. If the UK is going to continue to trade with the EU post-Brexit, the flow of personal data will continue – and therefore will have to be protected to the same standard. If UK firms become GDPR compliant, this will neatly align with the privacy aims of the legislation, making trade a lot easier.

Building positive consumer perceptions

How organisations handle personal data will be closely monitored by consumers. Consumers have certain expectations about how their personal data is collected, used and protected by organisations. Over time, they have become aware of how their personal data is being used by organisations for targeted marketing. They are realising that privacy is more than just confidentiality, and they want to know how organisations are using their personal data. If organisations put in place robust and transparent data handling practices, this will reassure consumers that their data is being protected and that they have the power to change their privacy settings. In other words, organisations build trust with their consumers by handling their personal data in the right way.

If organisations understand the need to build the right privacy controls and resolve any privacy issues now, this will save them the future pain of regulatory scrutiny and censure. In effect, becoming GDPR compliant is an enabler for organisations to do things the right way – consumer analytics, predictive customer analysis and targeted marketing.

A springboard for innovation

The GDPR represents a fantastic opportunity for organisations to review not only what personal data they hold but also how they can use that data to innovate the products and services they sell. If organisations start to think in terms of data-driven innovation, they can use concepts like privacy by design, profiling and data portability to design new products and services that will build trust with their consumers and ultimately drive sales.

If companies fail to embrace the GDPR, they will be left with inadequate protection against the rise in cyber attacks (which often lead to data breaches). Many organisations may see GDPR compliance as an onerous task, but this is outweighed by the benefits of putting their data to work on a sound data protection footing. Essentially, an organisation can extract the greatest value from consumer analytics, predictive customer analysis and targeted marketing, but only if it embraces the GDPR.